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UNITED STATES DISTRICT COURT 
SOUTHERN DISTRICT OF NEW YORK 

---X 

UNITED STATES OF AMERICA : 


-v- 


JOSHUA ADAM SCHULTE, 


Defendant. : 

-X 


DECLARATION OF STEVEN M. 
BELLOVIN, Ph.D., IN SUPPORT OF 
SUPPRESSION 

17 Cr. 548 (PAC) 


STEVEN M. BELLOVIN, Ph.D., declares under penalty of perjury: 

1. I am the Percy K. and Vida L.W. Hudson Professor of Computer Science at 
Columbia University, where I have taught since 2005. I make this declaration for the limited 
purpose of providing expert support for Defendant Joshua Adam Schulte’s motion to 
suppress and for an evidentiary hearing under Franks v. Delaware, 438 U.S. 154 (1978). 

This declaration is based on my personal knowledge (including my training and experience 
as a computer scientist), my review of documents produced by the government in discovery, 
and my discussions with members of Mr. Schulte’s defense team. 

2. Because this declaration is being made for a limited purpose, it does not include 
everything I know about this case or the matters discussed herein. 

My Qualifications 

3. My curriculum vitae is annexed hereto as Exhibit “A.” In summary, I received my 
doctorate in computer science in 1982 from the University of North Carolina at Chapel Hill. 1 
am currently the Percy K. and Vida L.W. Hudson Professor of Computer Science at 
Columbia University and an affiliate faculty member at Columbia Law School. I have been a 
Professor of Computer Science at Columbia since 2005. I have also worked as Chief 




Case l:17-cr-00548-PAC Document 110 Filed 07/03/19 Page 2 of 4 


Technologist for the Federal Trade Commission (2012-2013), Adjunct Professor of 
Computer Science at the University of Pennsylvania (2002-2004), and as a consultant and 
research fellow for AT&T (1998-2012). 

4. I am also a member of the National Academy of Engineering (“National Academy”) 
and have served on many National Academy study committees and the National Academy’s 
Computer Science and Telecommunications Board. I have also been part of the leadership of 
the Internet Engineering Task Force, serving on the Internet Architecture Board and as a 
Security Area Director. I have also served on several advisory committees at the Department 
of Homeland Security and the Election Assistance Commission. 

5. I have published extensively on a wide range of subjects relating to Internet security, 
computer science, and forensic computer analysis. 

The Meaning and Significance of a Computer’s “Page File” 

6. I understand that when the government applied in April 2017 for a warrant to search 
Mr. Schulte’s devices for evidence of child pornography, the government claimed it had 
found a single “photograph” or image of what “appear[ed] to be child pornography” on Mr. 
Schulte’s “desktop computer.” 

7. In fact, according to documents produced by the government in discovery, the image 
was discovered in a specific area of Mr. Schulte’s desktop computer known as the “page 
file.” This location should have been obvious to the investigating agents because the “file 
path” of the image—the written description of where on the computer the image was 
found—indicates that it was found within “pagefile.sys,” an unmistakable reference to the 
page file. 
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8. A “page file” (sometimes referred to as a “paging file” or “swap file”) is an area of 
the computer that acts as an extension of the computer’s Random Access Memory (RAM). If 
information in RAM is not actively being used by the computer, or has not recently been 
used, the operating system (e.g., Windows) may move it to the page file in order to free up 
memory space in RAM. 

9. Significantly, the operating system, not the computer’s user, creates and maintains 
the page file. Indeed, the contents of the page file are generally not accessible to the 
computer’s user. Similarly, computer users generally cannot modify or determine the 
contents of a page file. And the contents of a page file do not have file names and do not 
resemble ordinary user files. 

10. Because of the nature of a page file, the presence of a photograph or other image in 
a page file, standing alone, does not provide a basis for concluding that the photograph or 
image was ever knowingly accessed, received, possessed, or even seen by a computer user. 
For example, when a computer user visits an Internet website, the web browser can 
automatically “pre-fetch” or download images into RAM from the website, thus allowing 
them to be stored in the page file, even if the user never viewed those images or intentionally 
“clicked” on them. An image can thus end up in the computer’s page file without the user’s 
knowledge—and even if the user never saw it, intentionally accessed it, or knowingly 
acquired it. Indeed, since the page file contains pieces of RAM that have not been used 
recently, the presence of an image on the page file is suggestive of an image that was not 
viewed recently, if at all. 

11. In this case, moreover, the limited “metadata” associated with the image—the 
information about the origin or format of the image—does not indicate when the image was 
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created, accessed, or last viewed by a user (if ever). Accordingly, the image may have been 
residing in the page file of Mr. Schulte’s computer for a long period of time before it was 
discovered by law enforcement—indeed, it may have been there ever since the computer was 
first used. Put another way, the mere fact that the image was found in Mr. Schulte’s page file 
in April 2017 does not show that it had arrived on the computer recently, as opposed to many 
months or years earlier. 

12. Finally, about 20 percent of the image is blacked out. While there are various 
reasons this may have occurred, the blacking out is consistent with the image having been 
automatically downloaded to Mr. Schulte’s computer, and stored to the page file, without 
him ever seeing or knowingly acquiring it. 

I declare under penalty of perjury that the foregoing is true and correct. 


Dated: New York, New York 
June 28, 2019 



Steven M. Bellovin, Ph.D. 
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Steven M. Bellovin 

Percy K. and Vida L.W. Professor of Computer Science 

smb at cs.columbia.edu 
http://www.cs.columbia.edur smb 


Education 

1982 Ph.D., University of North Carolina at Chapel Hill. Dissertation: Verifiably Cor¬ 
rect Code Generation Using Predicate Transformers', advisor: David L. Parnas. 

1977 M.S., University of North Carolina at Chapel Hill. 

1972 B.A., Columbia University. 

Employment 

2014-now Percy K. and Vida L.W. Professor of Computer Science, Columbia Uni¬ 
versity. 

2005-2014 Professor of Computer Science, Columbia University. 

2012-2013 Chief Technologist, Federal Trade Commission 

2002-2004 Adjunct Professor of Computer Science, University of Pennsylvania. 

2005-2012 AT&T, consultant 

1998-2004 AT&T Fellow, AT&T Labs—Research. 

1987-1998 Distinguished Member of the Technical Staff, AT&T Bell Laboratories 
and AT&T Labs—Research. 

1982-1987 Member of the Technical Staff, AT&T Bell Laboratories. 

1977-1978 Instructor, Dept, of Computer Science, University of North Carolina at 
Chapel Hill. 

Honors 

2014 Elected to the Cybersecurity Hall of Fame 

2006 Received the 2007 NIST/NSA National Computer Systems Security Award 
2001 Elected to the National Academy of Engineering. 

1998 Named an AT&T Fellow. 

1995 Received the Usenix Lifetime Achievement Award (“The Flame”), along with 
Tom Truscott and Jim Ellis, for our role in creating Usenet. 
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Books and Chapters 

• Salvatore Stolfo, Steven M. Bellovin, Angelos D. Keromytis, Sara Sinclair, Sean 
Smith, and Shlomo Hershkop, editors. Insider Attack and Cyber Security: Be¬ 
yond the Hacker (Advances in Information Security). Springer, 2008. 

• Seymour E. Goodman and Herbert S. Lin, editors. Toward a Safer and More 
Secure Cyberspace. National Academy Press, 2007. 

• Stephen T. Kent and Lynette I. Millett, editors. Who Goes There? Authentication 
Through the Lens of Privacy. National Academies Press, 2003. 

• John L. Hennessy, David A. Patterson, and Herbert S. Lin, editors. Information 
Technology for Counterterrorism: Immediate Actions and Future Possibilities. 
National Academies Press, 2003. 

• William R. Cheswick, Steven M. Bellovin, and Aviel D. Rubin. Firewalls and 
Internet Security; Repelling the Wily Hacker. Addison-Wesley, Reading, MA, 
second edition, 2003. 

• Making the Nation Safer: The Role of Science and Technology in Countering 
Terrorism. National Academies Press, 2002. 

• Stephen T. Kent and Lynette I. Millett, editors. IDs — Not That Easy: Questions 
About Nationwide Identity Systems. National Academies Press, 2002. 

• Lred B. Schneider, editor. Trust in Cyberspace. National Academy Press, 1999. 

• Network security issues. In Peter Denning and Dorothy Denning, editors, Inter¬ 
net Besieged: Countering Cyberspace Scofflaws. ACM Press, 1997. 

• Network security issues. In A. Tucker, editor, CRC Computer Science and 
Engineering Handbook. CRC Press, 1996. 

• Security and software engineering. In B. Krishnamurthy, editor. Practical Reusable 
UNIX Software. John Wiley & Sons, 1995. 

• William R. Cheswick and Steven M. Bellovin. Firewalls and Internet Security: 
Repelling the Wily Hacker. Addison-Wesley, Reading, MA, first edition, 1994. 


Papers and Articles 

• Steven M. Bellovin, Matt Blaze, and Susan Landau. Comments on proposed 
remote search rules, October 2014. 

• Steven M. Bellovin. The economics of cyberwar. Technical Report CUCS-010- 
14, Department of Computer Science, Columbia University, April 2014. Pre¬ 
sented at the Institute for New Economic Thinking’s Human After All. 
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• Steven M. Bellovin, Matt Blaze, Sandy Clark, and Susan Landau. Lawful hack¬ 
ing: Using existing vulnerabilities for wiretapping on the Internet. Northwestern 
Journal of Technology & Intellectual Property , 12(1), 2014. 

• Steven M. Bellovin, Renee M. Hutchins, Tony Jebara, and Sebastian Zimmeck. 
When enough is enough: Location tracking, mosaic theory, and machine learn¬ 
ing. NYU Journal of Law and Liberty, 8(2):555-628, 2014. 

• Sebastian Zimmeck and Steven M. Bellovin. Privee: An architecture for auto¬ 
matically analyzing web privacy policies. In 23rd USENIX Security Symposium 
(USENIX Security 14), pages 1-16, San Diego, CA, August 2014. USENIX 
Association. 

• Steven M. Bellovin. Position paper: Security and simplicity. In W3C/IAB Work¬ 
shop on Strengthening the Internet Against Pervasive Monitoring (STRINT), March 
2014. 

• Binh Vo and Steven Bellovin. Anonymous publish-subscribe systems. In SE- 
CURECOMM, Beijing, September 2014. 

• Vasilis Pappas, Fernando Krell, Binh Vo, Vlad Kolesnimov, Tal Malkin, Se- 
ung Geol Choi, Wesley George, Angelos Keromytis, and Steven M. Bellovin. 
Blind seer: A scalable private DBMS. In IEEE Symposium on Security and 
Privacy, May 2014. 

• Steven M. Bellovin. Mysterious checks from Mauborgne to Fabyan. Technical 
Report CUCS-012-14, Department of Computer Science, Columbia University, 
April 2014. A later version will appear in Cryptologia. 

• Steven M. Bellovin. Vernam, Mauborgne, and Friedman: The one-time pad 
and the index of coincidence. Technical Report CUCS-014-14, Department of 
Computer Science, Columbia University, May 2014. 

• S. Bellovin, R. Bush, and D. Ward. Security Requirements for BGP Path Vali¬ 
dation. RFC 7353, RFC Editor, August 2014. 

• Steven M. Bellovin. What should crypto look like? IEEE Security & Privacy, 
12(6): 108-108, November 2014. 

• Steven M Bellovin. Dr. Strangecode. IEEE Security & Privacy, 12(3), May- 
June 2014. 

• Steven M. Bellovin. Submission to the Privacy and Civil Liberties Oversight 
Board: Technical issues raised by the Section 215 and Section 702 surveillance 
programs, July 2013. 

• Steven M. Bellovin, Matt Blaze, Sandy Clark, and Susan Landau. Going bright: 
Wiretapping without weakening communications infrastructure. IEEE Security 
& Privacy, 11 (1):62—72, January-February 2013. 
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• Steven M. Bellovin. Why healthcare.gov has so many problems. CNN.com, 
October 15 2013. 

• Steven M. Bellovin. Military cybersomethings. IEEE Security & Privacy, 

11 (3):88, May-June 2013. 

• Steven M. Bellovin. Walls and gates. IEEE Security & Privacy, 6(11), November- 
December 2013. 

• Steven M. Bellovin, Scott O. Bradner, Whitfield Diffie, Susan Landau, and Jen¬ 
nifer Rexford. Can it really work? Problems with extending EINSTEIN 3 to 
critical infrastructure. National Security Journal, 3, 2012. 

• Carl Landwehr, Dan Boneh, John Mitchell, Steven M. Bellovin, Susan Landau, 
and Mike Lesk. Privacy and cybersecurity: The next 100 years. Proceedings of 
the IEEE, PP(99):1-15, 2012. 

• Maritza Johnson, Serge Egelman, and Steven M. Bellovin. Facebook and pri¬ 
vacy: It’s complicated. In Symposium On Usable Privacy and Security (SOUPS), 
July 2012. 

• Michelle Madejski, Maritza Johnson, and Steven M. Bellovin. A study of pri¬ 
vacy setting errors in an online social network. In Proceedings ofSESOC 2012, 
2012. 

• Mariana Raykova, Hang Zhao, and Steven M. Bellovin. Privacy enhanced ac¬ 
cess control for outsourced data sharing. In Financial Cryptography and Data 
Security, March 2012. 

• Mariana Raykova, Ang Cui, Binh Vo, Bin Liu, Tal Malkin, Steven M. Bellovin, 
and Salvatore J. Stolfo. Usable secure private search. IEEE Security & Privacy, 
10(5), September-October 2012. 

• F. Gont and S. Bellovin. Defending against Sequence Number Attacks. RFC 
6528, RFC Editor, February 2012. 

• Steven M. Bellovin. The major cyberincident investigations board. IEEE Secu¬ 
rity & Privacy, 10(6):96, November-December 2012. 

• Steven M. Bellovin. Fighting the last war. IEEE Security & Privacy, 10(3), 
May-June 2012. 

• Steven M. Bellovin, Scott O. Bradner, Whitfield Diffie, Susan Landau, and Jen¬ 
nifer Rexford. As simple as possible—but not more so. Communications of the 
ACM, 2011. Note: this is a shorter version of “Can it really work?”. 

• Maritza L. Johnson, Steven M. Bellovin, and Angelos D. Keromytis. Computer 
security research with human subjects: Risks, benefits and informed consent. In 
Financial Cryptography and Data Security, Lecture Notes in Computer Science. 
Springer Berlin / Heidelberg, 2011. 
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• Michelle Madejski, Maritza Johnson, and Steven M. Bellovin. The failure of 
online social network privacy settings. Technical Report CUCS-010-11, Depart¬ 
ment of Computer Science, Columbia University, February 2011. 

• Sal Stolfo, Steven M. Bellovin, and David Evans. Measuring security. IEEE 
Security & Privacy, 9(3):88, May-June 2011. 

• Hang Zhao, Jorge Lobo, Arnab Roy, and Steven M Bellovin. Policy refinement 
of network services for MANETs. In The 12tli IFIP/IEEE International Sym¬ 
posium on Integrated Network Management (IM 2011), Dublin, Ireland, May 
2011 . 

• Steven M. Bellovin. Frank Miller: Inventor of the one-time pad. Technical 
Report CUCS-009-11, Department of Computer Science, Columbia University, 
March 2011. A revised version appeared in Cryptologia 35(3), July 2011. 

• Mariana Raykova, Hang Zhao, and Steven M. Bellovin. Privacy enhanced access 
control for outsourced data sharing. Technical Report CUCS-039-11, Depart¬ 
ment of Computer Science, Columbia University, 2011. 

• Vasilis Pappas, Mariana Raykova, Binh Vo, Steven M. Bellovin, and Tal Malkin. 
Private search in the real world. In Proceedings of the 2011 Annual Computer 
Security Applications Conference, December 2011. 

• Steven M. Bellovin. Clouds from both sides. IEEE Security & Privacy, 9(3), 
May-June 2011. 

• Steven M. Bellovin. Security think. IEEE Security & Privacy, 9(6), November- 
December 2011. 

• Maritza Johnson and Steven M. Bellovin. Policy management for e-health 
records. Usenix HealthSec, August 2010. Position paper. 

• Hang Zhao and Steven M. Bellovin. High performance firewalls in MANETs. 
In International Conference on Mobile Ad-hoc and Sensor Networks, pages 154— 
160, December 2010. 

• Shreyas Srivatsan, Maritza Johnson, and Steven M. Bellovin. Simple-VPN: 
Simple IPsec configuration. Technical Report CUCS-020-10, Department of 
Computer Science, Columbia University, July 2010. 

• Elli Androulaki, Binh Vo, and Steven M. Bellovin. A real-world identity man¬ 
agement system with master secret revocation. Technical Report CUCS-008-10, 
Department of Computer Science, Columbia University, April 2010. 

• Elli Androulaki and Steven M. Bellovin. A secure and privacy-preserving tar¬ 
geted ad-system. In Proceedings of the 1st Workshop on Real-Life Crypto¬ 
graphic Protocols and Standardization, January 2010. 
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• Vasilis Pappas, Mariana Raykova, Binh Vo, Steven M. Bellovin, and Tal Malkin. 
Trade-offs in private search. Technical Report CUCS-022-10, Department of 
Computer Science, Columbia University, September 2010. 

• Elli Androulaki, Binh Vo, and Steven M. Bellovin. Privacy-preserving, taxable 
bank accounts. In Proceedings of the European Symposium on Research in 
Computer Security (ESORICS), Athens, September 2010. Longer version issued 
as Tech Report CUCS-005-10. 

• Elli Androulaki, Binh Vo, and Steven M. Bellovin. Privacy-preserving, tax¬ 
able bank accounts. Technical Report CUCS-005-10, Department of Computer 
Science, Columbia University, April 2010. 

• Steven M. Bellovin. Identity and security. IEEE Security & Privacy, 8(2), 
March-April 2010. 

• Steven M. Bellovin. Perceptions and reality. IEEE Security & Privacy, 8(5), 
September-October 2010. 

• Elli Androulaki, Binh Vo, and Steven M. Bellovin. Cybersecurity through iden¬ 
tity management. In Engaging Data: First International Forum on the Applica¬ 
tion and Management of Personal Electronic Information, October 2009. 

• Steven M. Bellovin and Randy Bush. Configuration management and security. 
IEEE Journal on Selected Areas in Communications, 27(3):268-274, April 2009. 

• Shaya Potter, Steven M. Bellovin, and Jason Nieh. Two person control admin¬ 
istration: Preventing administration faults through duplication. In LISA ’09, 
November 2009. 

• Maritza Johnson, Steven M. Bellovin, Robert W. Reeder, and Stuart Schechter. 
Laissez-faire file sharing: Access control designed for individuals at the end¬ 
points. In New Security Paradigms Workshop, September 2009. 

• Hang Zhao and Steven M. Bellovin. Source prefix filtering in ROFL. Technical 
Report CUCS-033-09, Department of Computer Science, Columbia University, 
July 2009. 

• Yuu-Heng Cheng, Mariana Raykova, Alex Poylisher, Scott Alexander, Martin 
Eiger, and Steve M. Bellovin. The Zodiac policy subsystem: a policy-based 
management system for a high-security MANET. In IEEE Policy 2009, July 
2009. Longer version issued as CUCS-023-09. 

• Yuu-Heng Cheng, Scott Alexander, Alex Poylisher, and Mariana Raykova Steven M. 
Bellovin. The Zodiac policy subsystem: a policy-based management system for 

a high-security MANET. Technical Report CUCS-023-09, Department of Com¬ 
puter Science, Columbia University, May 2009. 
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• Elli Androulaki and Steven M. Bellovin. An anonymous credit card system. 
In Proceedings of 6th International Conference on Trust, Privacy & Security in 
Digital Business (TrustBus), September 2009. Longer version issued as Tech 
Report CUCS-010-09. 

• Elli Androulaki and Steven M. Bellovin. An anonymous credit card system. 
Technical Report CUCS-010-09, Department of Computer Science, Columbia 
University, February 2009. 

• Elli Androulaki and Steven M. Bellovin. Anonymous delivery of physical ob¬ 
jects. In Symposium on Privacy-Enhancing Technologies (PET), July 2009. 

• Elli Androulaki and Steven M. Bellovin. A secure and privacy-preserving tar¬ 
geted ad-system. Technical Report CUCS-044-09, Department of Computer 
Science, Columbia University, October 2009. A revised version will appear at 
the 1st Workshop on Real-Life Cryptographic Protocols and Standardization. 

• Mariana Raykova, Binh Vo, Tal Malkin, and Steven M. Bellovin. Secure anony¬ 
mous database search. In Proceedings of the ACM Cloud Computing Security 
Workshop, November 2009. 

• S. Bellovin. Guidelines for Specifying the Use of IPsec Version 2. RFC 5406, 
RFC Editor, February 2009. 

• Steven M. Bellovin. The government and cybersecurity. IEEE Security & Pri¬ 
vacy, 7(2), March-April 2009. (Ignore the part that says I work for Microsoft—I 
don’t... The editor and I both missed that in the galleys.). 

• Steven M. Bellovin. Security as a systems property. IEEE Security & Privacy, 
7(5), September-October 2009. 

• Maritza Johnson, Chaitanya Atreya, Adam Aviv, Mariana Raykova, Steven M. 
Bellovin, and Gail Kaiser. RUST: The reusable security toolkit, 2008. Draft. 

• Steven M. Bellovin, Matt Blaze, Whitfield Diffie, Susan Landau, Peter G. Neu¬ 
mann, and Jennifer Rexford. Risking communications security: Potential haz¬ 
ards of the “Protect America Act”. IEEE Security & Privacy, 6( 1):24—33, 
January-February 2008. 

• Kyle Dent and Steven M. Bellovin. Newspeak: A secure approach for designing 
web applications. Technical Report CUCS-008-08, Department of Computer 
Science, Columbia University, February 2008. 

• Hang Zhao, Jorge Lobo, and Steven M. Bellovin. An algebra for integration 
and analysis of Ponder2 policies. In Proceeding of the 9tlr IEEE Workshop on 
Policies for Distributed Systems and Networks, June 2008. 

• Hang Zhao, Chi-Kin Chau, and Steven M. Bellovin. ROFL: Routing as the 
firewall layer. In New Security Paradigms Workshop, September 2008. A 
version is available as Technical Report CUCS-026-08. 
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• Maritza Johnson, Chaitanya Atreya, Adam Aviv, Mariana Raykova, Steven M. 
Bellovin, and Gail Kaiser. RUST: A retargetable usability testbed for website 
authentication technologies. In Usenix Workshop on Usability, Psychology, and 
Security, April 2008. 

• Maritza Johnson and Steven M. Bellovin. Security assurance for web device 
APIs. In Security for Access to Device APIs from the Web - W3C Workshop , 
December 2008. 

• Elli Androulaki, Mariana Raykova, Angelos Stavrou, and Steven M. Bellovin. 
PAR: Payment for anonymous routing. In Proceedings of the 8th Privacy En¬ 
hancing Technologies Symposium, July 2008. 

• Elli Androulaki, Seung Geol Choi, Steven M. Bellovin, and Tal Malkin. Rep¬ 
utation systems for anonymous networks. In Proceedings of the 8th Privacy 
Enhancing Technologies Symposium, July 2008. 

• Olaf Maennel, Randy Bush, Luca Cittadini, and Steven M. Bellovin. A better 
approach than carrier-grade-NAT. Technical Report CUCS-041-08, Department 
of Computer Science, Columbia University, September 2008. 

• Steven M. Bellovin. Security by checklist. IEEE Security & Privacy, 6(2), 
March-April 2008. 

• Steven M. Bellovin. The puzzle of privacy. IEEE Security & Privacy, 6(5), 
September-October 2008. 

• Steven M. Bellovin, Matt Blaze, Whitfield Diffie, Susan Landau, Peter G. Neu¬ 
mann, and Jennifer Rexford. Internal surveillance, external risks. Communica¬ 
tions of the ACM, 50(12), December 2007. 

• Hang Zhao and Steven M. Bellovin. Policy algebras for hybrid firewalls. Tech¬ 
nical Report CUCS-017-07, Department of Computer Science, Columbia Uni¬ 
versity, March 2007. Also presented at the Annual Conference of the ITA, 2007. 

• Sotiris Ioannidis, Steven M. Bellovin, John Ioannidis, Angelos D. Keromytis, 
Kostas Anagnostakis, and Jonathan M. Smith. Coordinated policy enforcement 
for distributed applications. International Journal of Network Security, 4(1):69- 
80, January 2007. 

• Steven M. Bellovin and William R. Cheswick. Privacy-enhanced searches us¬ 
ing encrypted Bloom filters. Technical Report CUCS-034-07, Department of 
Computer Science, Columbia University, September 2007. 

• Elli Androulaki, Mariana Raykova, Angelos Stavrou, and Steven M. Bellovin. 
Opentor: Anonymity as a commodity service. Technical Report CUCS-031-07, 
Department of Computer Science, Columbia University, September 2007. 

• Elli Androulaki, Seung Geol Choi, Steven M. Bellovin, and Tal Malkin. Repu¬ 
tation systems for anonymous networks. Technical Report CUCS-029-07, De¬ 
partment of Computer Science, Columbia University, September 2007. 
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• S. Bellovin. Key Change Strategies for TCP-MD5. RFC 4808, RFC Editor, 
March 2007. 

• Steven M. Bellovin. DRM, complexity, and correctness. IEEE Security & 
Privacy, 5(1), January-February 2007. 

• Steven M. Bellovin. Seers and craftspeople. IEEE Security & Privacy, 5(5), 
September-October 2007. 

• Paula Hawthorn, Barbara Simons, Chris Clifton, David Wagner, Steven M. Bellovin, 
Rebecca Wright, Arnold Rosenthal, Ralph Poore, Lillie Coney, Robert Gellman, 
and Harry Hochheiser. Statewide databases of registered voters: Study of accu¬ 
racy, privacy, usability, security, and reliability issues, February 2006. Report 
commissioned by the U.S. Public Policy Committee of the Association for Com¬ 
puting Machinery. 

• Steven M. Bellovin, Matt Blaze, Ernest Brickell, Clinton Brooks, Vint Cerf, 
Whitfield Diffie, Susan Landau, Jon Peterson, and John Treichler. Security 
implications of applying the Communications Assistance to Law Enforcement 
Act to Voice over IP, 2006. 

• Steven M. Bellovin, David D. Clark, Adrian Perrig, and Dawn Song. Workshop 
report: Clean-slate design for the next-generation secure Internet, March 2006. 
NSL workshop report. 

• Ka-Ping Yee, David Wagner, Marti Hearst, and Steven M. Bellovin. Prerendered 
user interfaces for higher-assurance electronic voting. In UsenixJACCURATE 
Electronic Voting Technology Workshop , August 2006. An earlier version ap¬ 
peared as Technical Report UCB/EECS-2006-35. 

• Steven M. Bellovin, Angelos Keromytis, and Bill Cheswick. Worm propagation 
strategies in an IPv6 Internet. ;login:, pages 70-76, Lebruary 2006. 

• Steven M. Bellovin. Virtual machines, virtual security. Communications of the 
ACM , 49(10), October 2006. “Inside RISKS” column. 

• Steven M. Bellovin and Eric K. Rescorla. Deploying a new hash algorithm. In 
Proceedings of NDSS ’06, 2006. 

• S. Bellovin and A. Zinin. Standards Maturity Variance Regarding the TCP MD5 
Signature Option (RFC 2385) and the BGP-4 Specification. RFC 4278, RFC 
Editor, January 2006. 

• Steven M. Bellovin. Unconventional wisdom. IEEE Security & Privacy, 4(1), 
January-February 2006. 

• Steven M. Bellovin. On the brittleness of software and the infeasibility of secu¬ 
rity metrics. IEEE Security & Privacy, 4(4), July-August 2006. 
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• Steven M. Bellovin, Matt Blaze, and Susan Landau. The real national-security 
needs for VoIP. Communications of the ACM, 48(11), November 2005. “Inside 
RISKS” column. 

• S. Bellovin and R. Housley. Guidelines for Cryptographic Key Management. 
RFC 4107, RFC Editor, lune 2005. 

• Steven M. Bellovin. Security and privacy: Enemies or allies? IEEE Security & 
Privacy, 3(3), May-June 2005. 

• Steven M. Bellovin. A look back at “Security problems in the TCP/IP protocol 
suite”. In Annual Computer Security Applications Conference, December 2004. 
Invited paper. 

• William Aiello, Steven M. Bellovin, Matt Blaze, Ran Canetti, John Ioannidis, 
Angelos D. Keromytis, and Omer Reingold. Just fast keying: Key agreement 
in a hostile Internet. ACM Transactions on Information and System Security 
(TISSEC), 7(2): 1-32, May 2004. 

• Steven M. Bellovin. Spamming, phishing, authentication, and privacy. Commu¬ 
nications of the ACM, 47(12), December 2004. “Inside RISKS” column. 

• Steven M. Bellovin. Cybersecurity research needs, July 2003. Testimony before 
the House Select Committee on Homeland Security, Subcommittee on Cyberse¬ 
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FBI’s ‘Carnivore’ Program” by the Subcommittee on the Constitution, House 
Judiciary Committee. 

• Matt Blaze and Steven M. Bellovin. Tapping on my network door. Communica¬ 
tions of the ACM, 43(10), October 2000. 
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2013-2015 

Member, National Research Council study committee on FAA Next Gen¬ 
eration Air Traffic Control System 

2012-now 

Member, National Research Council study committee on Cybersecurity 
Foundations 

2010-now 

Member, Computer Science and Telecommunications Board of the Na¬ 
tional Academies 

2009-2012 

Member, Technical Guidelines Development Committee of the Elections 
Assistance Commission 

2008 

Co-chair, Applied Cryptography and Network Security (ACNS) 

2006 

Chair, Steps Towards Reducing Unwanted Traffic in the Internet (SRUTI) 

2005-now 

Member, Department of Homeland Security Science and Technology 
Advisory Committee 

2004-2007 

Member, National Research Council study committee on cybersecurity 
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2002-2004 

Member, ICANN DNS Security and Stability Advisory Committee. 

2002-2004 

Security Area co-director, Internet Engineering Task Force (IETF). 

2002 
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2001 
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U.S. Patents 

8,798,614 Enhanced communication service for predicting and handling communica¬ 
tion interruption 

8,676,916 Method and Apparatus for Connection to Virtual Private Networks for Se¬ 
cure Transactions 

8,239,531 Method and Apparatus for Connection to Virtual Private Networks for Se¬ 
cure Transactions 

8,145,793 System and Method for Distributed Content Transformation 

8,107,479 Method and System for Telephony and High Speed Data Access on a Broad¬ 
band Access Network 

8,037,167 Method for Detecting Hosts behind Network Address Translators 

7,907,517 Routing Protocols with Predicted Outage Notification 

7,756,008 Routing Protocols with Predicted Outage Notification 

7,676,224 Enhanced Communication Service for Predicting and Handling Communi¬ 
cation Interruption (2010). 

7,558,970 Full-Text Privacy-enhanced searches using encryption 

7,227,843 Method for reducing congestion in packet-switched networks (2007). 

7,051,365 Method and apparatus for a distributed firewall (2006). 

7,035,410 Method and apparatus for enhanced security in a broadband telephony net¬ 
work (2006). 

6,870,845 Method for providing privacy by network address translation (2005). 

6,665,299 Method and system for telephony and high speed data access on a broadband 
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5,958,052 Method and apparatus for restricting access to private information in domain 
name systems by filtering information (1999). 

5,870,557 Method for determining and reporting a level of network activity on a com¬ 
munications network using a routing analyzer and advisor (1999). 
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5,805,820 Method and apparatus for restricting access to private information in domain 
name systems by redirecting query requests (1998). 

5,440,635 Cryptographic protocol for remote authentication (1995). 

5,241,599 Cryptographic protocol for secure communications (1993). 

Numerous other patent applications are pending. 
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